CVE-2026-20262
published 2026-06-15

CVE-2026-20262: A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or…

Priority: P186 · medium 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
KEV · ITW
CISA Known Exploited Vulnerability · due 2026-06-29
Exploited in the wild
EPSS: 7.68% (93.8th percentile)
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least a lower-privileged, single-task user account.

Affected

382 ranges · showing 25

Vendor  Product                         Version range            Fixed in
cisco   catalyst_sd-wan_manager         < 20.9.9.2               20.9.9.2
cisco   catalyst_sd-wan_manager         >= 20.10 < 20.12.7.2     20.12.7.2
cisco   catalyst_sd-wan_manager         >= 20.13 < 20.15.4.5     20.15.4.5
cisco   catalyst_sd-wan_manager         >= 20.15.5 < 20.15.5.3   20.15.5.3
cisco   catalyst_sd-wan_manager         >= 20.16 < 20.18.3.1     20.18.3.1
cisco   catalyst_sd-wan_manager         >= 26.1 < 26.1.1.2       26.1.1.2
cisco   cisco_catalyst_sd-wan_manager

Detection & IOCs (extracted from sources)

  • Look for crafted HTTP requests targeting file upload API endpoints on Cisco Catalyst SD-WAN Manager (formerly vManage), which may indicate exploitation of the arbitrary file write vulnerability.
  • CVE-2026-20262 is confirmed under active exploitation in the wild; prioritize detection and forensic triage on internet-exposed Cisco Catalyst SD-WAN Manager instances.
  • Monitor for unexpected file creation or file overwrites on the underlying OS of Cisco Catalyst SD-WAN Manager, as a successful exploit allows creation or overwrite of any file, which may later be leveraged for privilege escalation to root.
  • Exploitation requires authenticated access with at least a lower-privileged, single-task user account; audit SD-WAN Manager authentication logs for anomalous low-privilege account activity followed by file upload API calls.
  • The vulnerability is classified as a directory or path traversal flaw; inspect HTTP request logs for path traversal patterns (e.g., ../, %2e%2e%2f) in file upload API requests to SD-WAN Manager.
  • CISA BOD 26-04 forensic triage requirements apply to this CVE; organizations must follow the linked forensics triage guidance in addition to patching.
  • CISA remediation due date for CVE-2026-20262 is 2026-06-29; organizations subject to BOD 26-04 must patch by this date.
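
A sketch of the request-log check from the path traversal bullet above, as an added example that is not from the advisory or from Cisco: it flags write requests whose target contains a `..` segment after repeated percent-decoding, and reports the authenticated user. The combined-log layout, the `/example/upload` paths and the user names are constructed assumptions; this page does not give the real SD-WAN Manager log format or endpoint names.

```python
import re
from urllib.parse import unquote

# Assumed combined-log-style line: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WRITE_METHODS = {"POST", "PUT", "PATCH"}
# A ".." that stands alone as a path segment or parameter value, not "v1..2".
DOTDOT_RE = re.compile(r'(^|[\\/=&?])\.\.([\\/&]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encodings collapse to the plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_uploads(lines):
    """Return (user, method, raw_target, status) for write requests with a '..' segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        if DOTDOT_RE.search(fully_decode(m["target"])):
            hits.append((m["user"], m["method"], m["target"], int(m["status"])))
    return hits

# Constructed sample lines; the /example/... paths are placeholders, not real endpoints.
SAMPLE = [
    '198.51.100.7 - opsuser [15/Jun/2026:10:01:02 +0000] "POST /example/upload?name=report.csv HTTP/1.1" 200 512',
    '198.51.100.7 - taskuser [15/Jun/2026:10:02:10 +0000] "POST /example/upload?name=../../tmp/x HTTP/1.1" 200 87',
    '198.51.100.7 - taskuser [15/Jun/2026:10:02:44 +0000] "PUT /example/upload/%2e%2e%2f%2e%2e%2ftmp%2fx HTTP/1.1" 200 87',
    '198.51.100.7 - taskuser [15/Jun/2026:10:03:05 +0000] "POST /example/upload?name=%252e%252e%252fx HTTP/1.1" 403 0',
    '198.51.100.9 - opsuser [15/Jun/2026:10:04:00 +0000] "GET /example/files/../index HTTP/1.1" 200 40',
    '198.51.100.9 - opsuser [15/Jun/2026:10:05:00 +0000] "POST /example/upload?name=v1..2.tgz HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for hit in find_traversal_uploads(SAMPLE):
        print(hit)
```

A traversal sequence carried in a multipart body (for example in an uploaded filename) never appears in the request line, so this check covers only what the access log records and should be paired with the file-change monitoring described above.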

CVSS provenance

nvd        v3.1  6.5  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vulncheck        6.5  MEDIUM
cisa             6.5  MEDIUM